Architectures for Advanced Cryptographic Systems
Abstract
In the last 20-30 years, the world of modern cryptography has been largely dominated by traditional systems such as the Data Encryption Standard and the RSA algorithm. Such systems have provided a secure way for storing and transmitting information and they are nowadays incorporated in many network protocols and secure storage media. More recently, the increasing advance of crypto-analytical techniques and tools and the emergence of new applications, for example wireless communications and mobile computing, have stimulated the research and development of innovative cryptographic algorithms. These newer systems require a more detailed and sophisticated mathematical formalization and operations, which are not normally supported by general-purpose processors. For example, many basic operations required to implement recently proposed cryptographic algorithms, such as the Advanced Encryption Standard or Elliptic Curve Cryptosystems, are based on arithmetic in finite fields (or Galois fields). This chapter is, thus, intended to give an overview of such developments in modern cryptography. In particular, it aims at giving the reader a comprehensive understanding of innovative cryptosystems, their basic structure, alternative existing hardware architectures to implement them, and their performance requirements and characterizations. Emphasis will be placed throughout on two important cases: the Advanced Encryption Standard and Elliptic Curve Cryptosystems.

Bertoni, Guajardo and Paar. Copyright © 2004, Idea Group Inc. Copying or distributing in print or electronic forms without written permission of Idea Group Inc. is prohibited.

INTRODUCTION

It is widely recognized that data security will play a central role in the design of future IT systems. Although the PC had been the major driver of the digital economy until a few years ago, recently there has been a shift towards IT applications realized as embedded systems, and it is expected that this trend will continue as we advance into the 21st century. In addition, many of those applications either rely heavily on security mechanisms, including security for wireless phones, faxes, wireless computing, pay-TV, and copy protection schemes for audio/video consumer products and digital cinemas, or they will require security mechanisms to protect data, communications and our privacy. Thus, there is a pressing need to implement security measures and, in particular, cryptographic algorithms on platforms that are part of embedded systems. Traditionally, ASICs have been common components in the design of embedded systems by providing the high performance, low power dissipation and lower price per unit that many systems require. Furthermore, ASIC implementations of cryptographic algorithms are more secure than software ones because they cannot be as easily read or modified by an outside attacker. Nevertheless, ASIC implementations suffer from several drawbacks. Among those we can mention: (i) higher development costs and longer design cycles and (ii) lack of flexibility with respect to algorithm and parameter switching in fielded devices. These drawbacks are especially prominent in security applications, which are designed using new security protocol paradigms. Many of the new security protocols decouple the choice of cryptographic algorithm from the design of the protocol. Users of the protocol negotiate, on the fly, the choice of algorithm to use for a particular secure session. Thus, it would be desirable for the devices that will support these applications not only to support a single cryptographic algorithm and protocol, but also to be "algorithm agile," that is, able to select from a variety of algorithms. For example, IPSec (the security standard for the Internet) allows applications to choose from a list of different symmetric and asymmetric ciphers.

In the mid-nineties the use of reprogrammable components, in particular FPGAs, was introduced. FPGAs allowed for faster design cycles than ASICs because they enabled early functionality testing. Nonetheless, the performance and size of FPGAs did not permit them to substitute for ASICs in most applications and thus, they were mainly used to prototype embedded chips small enough to fit in the FPGA. In recent years, however, FPGA manufacturers have come closer to filling the performance gap between FPGAs and ASICs, enabling them not only to serve as fast prototyping tools, but also to become active players as components in embedded systems (Wong et al., 2002). The trend in both industry (see Altera Corporation, 2000; Altera Corporation, 2002a; Altera Corporation, 2002b; Chameleon Systems; Triscend Corporation; Xilinx Inc., 2002; Xilinx Inc., 2003) and academia (see Bondalapati & Prasanna, 2002; Hauser & Wawrzynek, 1997) is to develop chips which include either embedded components in them, such as memory, I/O controllers, and multiplier blocks, or both system reconfigurable components and programmable cores. The resulting processors/chips, which are no longer a single part of an embedded system but rather can be used to develop the whole system, are known by various names ranging from hybrid architectures to Systems-on-Chip (SoC), Configurable System-on-Chip (CSoC), Reconfigurable Systems-on-Chip (RSoC), and Systems on Programmable Chip (SoPC), among others (Bondalapati & Prasanna, 2002). Thus, FPGAs and, in particular, reconfigurable devices are also integral parts in embedded system design.

From the above discussion, one can see that the security engineer is faced with the challenge of implementing cryptographic algorithms on both custom hardware and reconfigurable platforms. This chapter provides the reader with a self-contained overview of both traditional (DES and RSA) and newly introduced (AES and ECC) cryptographic algorithms and of the latest trends and architectures used to implement them on hardware platforms such as ASICs and FPGAs. We notice that the implementation of cryptographic systems presents several requirements and challenges. First, the performance of the algorithms is often crucial. One needs encryption algorithms to run at the communication link transmission rates or at fast enough rates that customers do not become dissatisfied. Second, in order to achieve such satisfactory performance, it is imperative to have a good understanding and knowledge of: (i) the encryption algorithms, (ii) the algorithms underlying their implementation (not necessarily the encryption algorithm but algorithms which are used to implement them, such as algorithms for finite field arithmetic), and (iii) the hardware platform. Finally, the security engineer also has to be aware of the latest trends in the design of encryption schemes as well as the latest attacks. This chapter emphasizes the implementation aspects. We provide several implementation approaches and compare them, thus allowing the reader to have a wide range of options for different applications. For example, some applications might require the fastest possible implementation of the AES, without regard to power consumption and/or area, whereas others might want to be optimized for the last two parameters as long as an acceptable performance level is still achievable. Finally, we also hint at possible attacks on implementations and some solutions presented in the literature.

Chapter Organization

The remainder of this chapter is organized as follows. We begin with a brief introduction to cryptography and the mathematical background needed to understand the encryption schemes described in later sections. We emphasize definitions and, when appropriate, give relevant examples and refer the reader to other bibliographical sources for the proofs of theorems that we might use. The next two major sections involve discussions of symmetric and asymmetric cryptosystems. In particular, we discuss DES and AES as prime examples of symmetric schemes and RSA and ECC for the asymmetric case, as these are the most widely deployed algorithms in practical applications. We end this chapter with a short overview of attacks against the above-presented cryptographic schemes and their implementations as well as possible countermeasures.

MATHEMATICAL BACKGROUND

This section should probably more appropriately be called "An Introduction to Finite Fields," since these are, by far, the most widely used algebraic structure in the construction of cryptographic schemes. Examples include: the AES, the Diffie-Hellman key exchange protocol and those systems whose security is based on the difficulty of the Discrete Logarithm (DL) problem, and elliptic curve cryptosystems. We refer the reader to Lidl and Niederreiter (1997) for a comprehensive treatment of finite fields.

Definition 1. Let S be a set. Then, a mapping from S × S to S is called a binary operation on S. In particular, a binary operation is a rule that assigns ordered pairs (s,t), with s,t ∈ S, to an element of S. Notice that under this definition the image of the mapping is required to also be in S. This is known as the closure property.

Groups

Definition 2. A group is a set G together with a binary operation * on the set, such that the following properties are satisfied: (i) The group operation is associative. That is, a*(b*c) = (a*b)*c for all a, b, c ∈ G. (ii) There is an element 1 ∈ G, called the identity element, such that a*1 = 1*a = a for all a ∈ G. (iii) For all a ∈ G, there is an element a^{-1} ∈ G, such that a*a^{-1} = a^{-1}*a = 1. The element a^{-1} is called the inverse of a. If the group also satisfies a*b = b*a for all a, b ∈ G, then the group is said to be commutative or abelian. In the remainder of this chapter, we will only consider abelian groups unless we explicitly say something to the contrary. Note that we have used a multiplicative group notation for the group operation. If the group operation is written additively, then we talk about an additive group, the identity element is often associated with the zero (0) element, and the inverse element of a is written as -a. Notation conventions are shown in Table 1.

Table 1: Notation for common group operations, where a ∈ G and n and m are integers.

  Multiplicative notation                          Additive notation
  a^n = a*a*...*a (a multiplied by itself n times)  na = a+a+...+a (a added to itself n times)
  a^{-n} = (a^{-1})^n                               -na = n(-a)
  a^n a^m = a^{n+m}                                 na + ma = (n+m)a
  (a^n)^m = a^{nm}                                  n(ma) = (nm)a

Example 1. (i) The set of integers Z forms an additive group with identity element 0. (ii) The set of reals R forms a group under the addition operation with identity element 0 and under the multiplication operation with identity element 1. (iii) The integers modulo m, denoted by Z_m, form a group under addition modulo m with identity element 0. Notice that Z_m is not a group under multiplication modulo m, since not all of its elements have multiplicative inverses.

Definition 3. A group G is finite if the number of elements in it is finite, i.e., if its order, denoted |G|, is finite.

Definition 4. For n ≥ 1, let φ(n) denote the number of integers in the range [1,n] which are relatively prime (or co-prime) to n (i.e., an integer a is co-prime to n if gcd(a,n) = 1). The function φ(n) is called the Euler phi function or the Euler totient function. The Euler phi function satisfies the following properties: (i) If p is prime then φ(p) = p-1. (ii) The Euler phi function is multiplicative. In other words, if gcd(p,q) = 1, then φ(pq) = φ(p)φ(q). (iii) If $n = p_1^{e_1} p_2^{e_2} \cdots p_k^{e_k}$ is the prime factorization of n, then φ(n) can be computed as

$$\phi(n) = n\left(1-\frac{1}{p_1}\right)\left(1-\frac{1}{p_2}\right)\cdots\left(1-\frac{1}{p_k}\right).$$

Example 2. Let the set of integers modulo m which are co-prime to m be denoted by Z_m^*. Then, the set Z_m^* under the operation of multiplication modulo m forms a group of order φ(m) with identity element 1. In particular, if m is prime then φ(m) = |Z_m^*| = m-1.

Definition 5. A group G is cyclic if there is an element a ∈ G such that for each b ∈ G there is an integer i such that b = a^i. Such an element a is called a generator of G and we write G = <a>. The order of an element a ∈ G, denoted ord(a), is defined to be the least positive integer t such that a^t = 1, where 1 is the identity element in G. Notice the difference between the order of an element a ∈ G (ord(a)) and the order of the group G (|G|).

Example 3. (i) The multiplicative group of integers modulo 11, Z_11^*, is a cyclic group with generators 2, 2^3 = 8 mod 11, 2^7 = 7 mod 11, and 2^9 = 6 mod 11. Notice that the powers of two which result in generators are co-prime to the order of Z_11^*, i.e., 10. In fact, it can be shown that given a generator a ∈ Z_m^*, b = a^i mod m is also a generator if and only if gcd(i, φ(m)) = 1. (ii) The additive group of integers modulo 6, Z_6, has generators 1 and 5.

Rings and Fields

Definition 6. A ring, (R,+,*), is a set R together with two binary operations on R, arbitrarily denoted + (addition) and * (multiplication), which satisfy the following properties: (i) (R,+) is an abelian group with identity element denoted by 0. (ii) The operation * is associative, that is, a*(b*c) = (a*b)*c for all a, b, c ∈ R. (iii) There is a multiplicative identity element denoted by 1, with 0 ≠ 1, such that for all a ∈ R, a*1 = 1*a = a. (iv) The operation * is distributive over the + operation. In other words, a*(b+c) = (a*b)+(a*c) and (b+c)*a = (b*a)+(c*a) for all a, b, c ∈ R. If the operation * is also commutative, i.e., a*b = b*a, then the ring is said to be commutative.

Example 4. (i) The set of integers Z with the usual addition and multiplication operations is a commutative ring. Similarly, the set of rational numbers Q, the set of reals R, and the complex numbers C are all examples of commutative rings with the usual addition and multiplication operations. (ii) The set Z_m of integers modulo m with modulo m addition and multiplication operations is a commutative ring.

Definition 7. A field F is a commutative ring in which every non-zero element (i.e., all elements except for the 0 element) has a multiplicative inverse. A subset S of a field F which itself is a field with respect to the operations in F is called a subfield of F. In this case F is said to be an extension field of S. Definition 7 implies that a field F is a set on which two binary operations are defined, called addition and multiplication, and which contains two elements, 0 and 1, which satisfy 0 ≠ 1. In particular, (F,+,0) is an abelian group with additive identity 0 and (F*,*,1) is an abelian group under the multiplication operation with 1 as the multiplicative identity (F* is the set F without the element 0). The operations of addition and multiplication are related to each other via the distributivity law, i.e., a*(b+c) = (a*b)+(a*c) and (b+c)*a = (b*a)+(c*a), where the second property follows automatically from the fact that (F*,*,1) is an abelian group under multiplication.

Example 5. (i) The set of integers Z with the usual addition and multiplication operations is not a field since not all of its elements have multiplicative inverses. In fact only 1 and -1 have multiplicative inverses. (ii) The set of rational numbers Q, the set of reals R, and the complex numbers C are all examples of fields. (iii) The set Z_m of integers modulo m with the modulo m addition and multiplication operations is a field if and only if m is prime. For example, Z_2, Z_3, Z_5, etc., are all fields.

Definition 8. The characteristic of a field is said to be 0 if times m
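The following Python code is an added worked example, not part of the chapter: it computes φ(n) from the prime factorization as in property (iii) of Definition 4, finds the generators of Z_m^* by their order (Definition 5), checks the claim of Example 3(i) that a^i generates Z_m^* exactly when gcd(i, φ(m)) = 1, lists the generators of the additive group Z_m (Example 3(ii)) and tests the field criterion of Example 5(iii). All function names are this example's own.

```python
from math import gcd

def prime_factorization(n):
    """Prime factorization of n as a list of (p, e) pairs, by trial division."""
    factors, p = [], 2
    while p * p <= n:
        e = 0
        while n % p == 0:
            n //= p
            e += 1
        if e:
            factors.append((p, e))
        p += 1
    if n > 1:
        factors.append((n, 1))
    return factors

def euler_phi(n):
    """Property (iii): phi(n) = n * prod(1 - 1/p) over the distinct primes p | n, in integer arithmetic."""
    result = n
    for p, _ in prime_factorization(n):
        result = result // p * (p - 1)   # multiply by (1 - 1/p) exactly
    return result

def units(m):
    """Z_m^*: the integers modulo m that are co-prime to m (Example 2)."""
    return [a for a in range(1, m) if gcd(a, m) == 1]

def order(a, m):
    """ord(a) in Z_m^*: least t >= 1 with a^t = 1 (mod m) (Definition 5); a must be a unit."""
    t, x = 1, a % m
    while x != 1:
        x = x * a % m
        t += 1
    return t

def generators(m):
    """Generators of Z_m^*: the elements whose order equals |Z_m^*| = phi(m)."""
    return [a for a in units(m) if order(a, m) == euler_phi(m)]

def generators_from(g, m):
    """Example 3(i): for a generator g of Z_m^*, g^i mod m generates iff gcd(i, phi(m)) = 1."""
    phi = euler_phi(m)
    return sorted(pow(g, i, m) for i in range(1, phi) if gcd(i, phi) == 1)

def additive_order(a, m):
    """Order of a in the additive group Z_m (Table 1 notation): least t >= 1 with ta = 0 (mod m)."""
    t, x = 1, a % m
    while x != 0:
        x = (x + a) % m
        t += 1
    return t

def additive_generators(m):
    """Example 3(ii): generators of the additive group Z_m are the elements of order |Z_m| = m."""
    return [a for a in range(m) if additive_order(a, m) == m]

def is_field(m):
    """Example 5(iii): Z_m is a field iff every non-zero element is a unit, i.e. iff m is prime."""
    return m > 1 and len(units(m)) == m - 1
```

For m = 11 the code reproduces the chapter's figures: φ(11) = 10 and the generators of Z_11^* are 2, 6, 7, 8, i.e. 2, 2^9, 2^7, 2^3 mod 11.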
Related articles
An Adaptive Cryptographic Engine for IPSec Architectures
Architectures that implement the Internet Protocol Security (IPSec) standard have to meet the enormous computing demands of cryptographic algorithms. In addition, IPSec architectures have to be flexible enough to adapt to diverse security parameters. This paper proposes an FPGA-based Adaptive Cryptographic Engine (ACE) for IPSec architectures. By taking advantage of FPGA technology, ACE can adap...
Differential Power Analysis: A Serious Threat to FPGA Security
Differential Power Analysis (DPA) implies measuring the supply current of a cipher-circuit in an attempt to uncover part of a cipher key. Cryptographic security gets compromised if the current waveforms obtained correlate with those from a hypothetical power model of the circuit. As FPGAs are becoming integral parts of embedded systems and increasingly popular for cryptographic applications and...
Robust codes and robust, fault-tolerant architectures of the Advanced Encryption Standard
Hardware implementations of cryptographic algorithms are vulnerable to fault analysis attacks. Methods based on traditional fault-tolerant architectures are not suited for protection against these attacks. To detect these attacks we propose an architecture based on robust nonlinear systematic error-detecting codes. These nonlinear codes are capable of providing uniform error detecting coverage ...
Design of cybernetic metamodel of cryptographic algorithms and ranking of its supporting components using ELECTRE III method
Nowadays, achieving desirable and stable security in networks with national and organizational scope and even in sensitive information systems should be based on a systematic and comprehensive method and should be done step by step. Cryptography is the most important mechanism for securing information. A cryptographic system consists of three main components: cryptographic algorithms, cryptogr...
Design of a novel congestion-aware communication mechanism for wireless NoC architecture in multicore systems
Hybrid Wireless Network-on-Chip (WNoC) architecture has emerged as a scalable communication structure to mitigate the deficits of traditional NoC architecture for future multi-core systems. The hybrid WNoC architecture provides energy-efficient, high data rate and flexible communications for NoC architectures. In these architectures, each wireless router is shared by a set of processing core...
Reliability and Performance Evaluation of Fault-aware Routing Methods for Network-on-Chip Architectures (RESEARCH NOTE)
Nowadays, faults and failures are increasing especially in complex systems such as Network-on-Chip (NoC) based Systems-on-a-Chip due to the increasing susceptibility and decreasing feature sizes. On the other hand, fault-tolerant routing algorithms have an evident effect on tolerating permanent faults and improving the reliability of a Network-on-Chip based system. This paper presents reliabili...